This is because it has been around for a long time, is open source and free, and has many
privacy-friendly features baked right in.


Additionally, Mozilla (the main contributor to Firefox) has always encouraged developers to 
contribute directly to its code, or to create truly privacy preserving (and respecting) 
extensions. 


FUN FACT: the official Tor Browser is a fork of Firefox's source code (specifically the Extended
Support Release, ESR).


Not all of Firefox's privacy features are enabled from the start, and since Firefox does not ship
with any extensions, privacy-friendly extensions aren't installed by default either.


If you do not have Firefox installed, then you should download and install it (this guide is 
solely based on Firefox, though it may be applicable to some of its forks as well): 


Download Firefox 


Consider your threat model 


In short, your threat model for online privacy is the answer to two questions:


1. Who is your adversary (who do you want to protect your data from)?

2. What resources are you willing to commit to doing so?


For example, are you...

- Trying to limit the invasiveness of hyper-personalized marketing and highly targeted
ads?

- Concealing online activity from the government (ditch the assumption that this is for
"criminal activity only")?

- Trying to limit what information about you is easily found/searchable by the average
Joe?


NOTE: There are many, many other valid reasons for wanting to preserve one's online 
privacy. 


This is not saying you need a "valid reason for privacy"; privacy is a fundamental human
right. However, you should be aware of just whose eyes you're trying to protect your data
from, and of the resources you're spending to do so.


"Resources" for most people frequently include...

- Your time
- Your effort
- Your money
- Your sanity


Above all else, you should be (1) aware of what genuinely does not work for your threat
model and (2) realistic about your expectations and the resources you're willing to commit.
Not everything works for everybody.


A word on fingerprinting... 


Be aware that more add-ons/privacy settings do not necessarily protect you from more
tracking/surveillance methods. "The more, the better" does not apply here.


The more add-ons you have, the more unique your browser fingerprint is: a site can't list your
add-ons directly, but it can observe their side effects (blocked resources, modified pages,
unusual header values) and combine them into an identifier.


You'll want to strike a balance between blocking tracking methods (such as scripts and
cookies) and blending in with other users' browser signatures. This can be tricky and is much
easier said than done.


The easiest way not to stand out like a sore thumb is to avoid installing a ton of add-ons and
to leave Do Not Track (DNT) disabled: the DNT header is honored by almost nobody, and
because few people send it, it makes your requests more distinctive rather than less.


It's unrealistic to think you can prevent all fingerprinting there ever was or ever will be. 


Fingerprinting is a constantly evolving (and ever more invasive) practice. Nearly every aspect of
your system transmitted to a server can be used to fingerprint you, such as (but not limited
to):


- Set language preference (ex: en-US)
- Operating system
- Screen size
- Bluetooth connections
- IP address
- Presence of a DNT header
- System fonts


It's possible to minimize what fingerprinting and tracking methods work on you - typically the 
first step, however minor, is blocking ads and the trackers that can come with them. 


Again, this comes back to threat modeling and understanding that for most people, 
attempting to stop any and all fingerprinting is simply not feasible; it can also backfire, 
causing you to be more unique amongst a sea of users. 


Menu settings


These are the settings that we can adjust straight from Firefox's standard menu, without
going into the more advanced settings living in about:config.


Custom search settings 


Mozilla has an agreement with Google under which Google Search is the default search
engine.


Hopefully, you're aware that Google Search is not at all privacy friendly. Many of the other 
search engines included with Firefox aren't too privacy friendly either, except for 
DuckDuckGo (with associated caveats). 


To access the search settings, go to Menu > Options > Search (in newer versions the menu
entry is called Settings rather than Options).


You'll want to be sure to choose a private search engine as your default. You can add them 
to Firefox by clicking the Find more search engines link near the bottom of the page. 


For a list of suggestions, you can visit the avoidthehack recommendations for private search 
engines. 


Additionally, you may want to consider disabling Search suggestions as well. This comes 
enabled as a default. 


A valid reason for disabling this setting is that it sends what you type to your default search
engine in real time, before you press Enter; that's how the engine produces its suggestions.


This shouldn't be necessary if you're using a private search engine, but you may want to 
consider disabling it regardless. 
Firefox DNS-over-HTTPS (DoH)


Firefox added built-in DNS-over-HTTPS (DoH) some time ago. DoH encrypts the DNS lookups
that Firefox itself makes (and only those; other applications on the device are unaffected), so
they can't be read or tampered with in transit by your network operator or ISP. To do this,
Firefox partners with a handful of "privacy-friendly DNS providers" that it calls Trusted
Recursive Resolvers (TRRs).


(An easy way to access this setting is by typing "network settings" into the search bar of the 
settings/preferences page of Firefox.) 


As of recent Firefox versions, DoH within Firefox is enabled by default depending on a
number of criteria that the browser itself assesses:


- Locale (the default-on rollout has gone region by region, starting with the US in 2020)

- Presence of parental controls

- Whether the default DNS server filters malicious content

- Enterprise policies for custom DNS settings


If none of the last 3 are detected, Firefox enables DoH by default.


The intent is fine, but this can be a real problem for users who actually want Firefox to use
their network's DNS settings.


[Screenshot: the Connection Settings dialog (Configure Proxy Access to the Internet, with No
proxy / Auto-detect proxy settings for this network / Use system proxy settings / Manual proxy
configuration, the "No proxy for" exception list, and the "Proxy DNS when using SOCKS v5"
checkbox). If you ever route Firefox through a SOCKS5 proxy such as an SSH tunnel or Tor,
that last checkbox is what stops DNS lookups from bypassing the proxy.]
For example, users who have spent some time setting up a Pi-hole or other network-wide
ad blocker would want Firefox to use it, and not circumvent the network DNS settings with its
built-in DoH. Users that fall within this general category should disable DoH within
Firefox. Otherwise, Firefox can circumvent your network (and device) settings.


Generally, I recommend enabling DoH within Firefox if you aren't running any kind of
network-wide ad blocking solution (or similar) and haven't configured your home network (or
the specific device, where applicable) to use secure and privacy-friendly DNS servers.


Ideally, you'll want to enable DoH when you're connected to any kind of unfamiliar network 
(for most people, outside their home network), especially if you can't set DNS settings on the 
device itself. 


In some cases, you can configure your network to tell Firefox to disable DoH on its own: before
turning on default DoH, Firefox resolves the "canary domain" use-application-dns.net through
the system resolver, and if the network's resolver answers NXDOMAIN (or returns no A/AAAA
records) for that name, Firefox keeps using the network's DNS. Pi-hole and most filtering
resolvers can be configured to do exactly this. Note that the canary only affects the
default-on heuristic; it does nothing for a user who has explicitly enabled DoH in the settings.
More information from Mozilla.


Content blocking


Firefox has built-in content blocking (Enhanced Tracking Protection), which can block:


- Social media trackers
- Tracking cookies
- Cryptominers
- Fingerprinters


Navigate to Menu > Options > Privacy & Security. 


There are 3 different content blocking profiles to choose from: Standard, Strict, and 
Custom: 


[Screenshot: the Enhanced Tracking Protection panel with the Standard, Strict, and Custom
profiles.]

It's up to your personal threat model to choose which profile works for you. Standard works
for most users, especially if you're using privacy-friendly add-ons.

Be aware that Firefox's built-in content blocking isn't the best, which is why I still highly
recommend installing a trusted tracker-blocking add-on.


If Firefox's content blocking feature breaks a website, it's easy to add an exception for it at 
your discretion: 


[Screenshot: the shield icon's panel with the Enhanced Tracking Protection toggle for the
current site.]


Telemetry 
By default, Firefox is configured to send some telemetry data from your browser to Mozilla. 


Even though Mozilla has a decent privacy policy, many privacy-conscious users will want to 
disable this backend activity of Firefox. 


[Screenshot: Firefox Data Collection and Use. The three checkboxes to clear are "Allow Firefox
to send technical and interaction data to Mozilla", "Allow Firefox to install and run studies",
and "Allow Firefox to send backlogged crash reports on your behalf".]


HTTPS-only mode 


Firefox ships with an HTTPS-only mode, but it's disabled by default.


You should definitely Enable HTTPS-Only Mode in all windows. 




HTTPS provides a secure and encrypted connection between your browser and the sites you
visit. Enabling HTTPS-only mode makes Firefox attempt HTTPS for every site you visit and,
when no HTTPS version is available, shows a warning page instead of silently falling back to
HTTP.


Firefox's built-in HTTPS-only mode does the same job as the well-known HTTPS
Everywhere add-on. The HTTPS Everywhere extension reached end-of-life (EOL) in 2022.


Browsing history 


By default, Firefox remembers your browsing history and keeps site cookies between
browsing sessions.


Some may wish for Firefox to wipe browsing history and cookies when exiting a session,
as cookies are the most common mechanism servers use to recognize you across visits.
Wiping browsing history helps preserve your privacy locally, such as in the event someone
uses the device's browser right after you.


To clear cookies and site data in Firefox: 


Under Cookies and Site Data enable the box "Delete cookies and site data when Firefox is 
closed" 


[Screenshot: the Cookies and Site Data section, with the Manage Data and Manage Exceptions
buttons.]

Under History enable the box "Always use private browsing mode." 


Disable Autofill 


Autofill stores information you previously input into fields on various webpages. This can 
include items like your name, address, and phone number(s). 


If you're not careful, sometimes Autofill can store your credit card numbers and other more 
sensitive information, such as account numbers or social security numbers. 


Unfortunately, what's "remembered" is not always stored securely. Autofill addresses live in a
plain JSON file in the profile, and unless you set a primary password, the key that encrypts
saved logins and card numbers sits unprotected in the same profile directory, so anything that
can read the profile can decrypt them. The data can also be harvested by what is known as an
Autofill attack: a page places form fields you can't see (off-screen or styled invisible) and, when
you autofill one visible field, the browser fills the hidden ones too; the page then submits all of
them.


Rogue, scam, phishing, and overly invasive websites can lift what's stored by Autofill in these
types of attacks. In some cases, legitimate websites that have been compromised via cross-site
scripting (XSS) can also lift this data.


Malware, specifically the family labeled "information stealers," also harvests autofill information
and exfiltrates (sends) it to malicious actors. In the process, it typically also lifts session
cookies, data stored by installed browser extensions, saved passwords, and browsing history.


To disable Autofill:

Disable "Autofill logins and passwords" under Logins and Passwords.

Disable "Autofill addresses" and "Autofill credit cards" under Forms and Autofill.


[Screenshot: the Logins and Passwords and Forms and Autofill sections with the autofill
checkboxes.]


If you choose to keep autofill enabled, HTTPS-only mode mitigates the variant where someone
on the network injects a form into a plain-HTTP page, but it does nothing against a malicious
site that serves the hidden fields itself. Additionally, Firefox has introduced required OS-level
authentication (your login password, fingerprint, or similar) before autofilling credit card
information; at the moment this appears limited to just credit cards.


It also becomes far less of an issue if you choose to block all JavaScript, but there are a 
number of different instances where users might not want or particularly need to go that far. 


Address Bar - Firefox Suggest 


With Firefox version 93.0, Mozilla has introduced "sponsored suggestions" for the content 
you may type in your address bar. 


This appears to be a monetization move on Mozilla's end, which in itself isn't necessarily a 
bad thing. However, ads - and AdTech in general - have earned a quite... horrid reputation 
within both the privacy (and by extension, cybersecurity) communities. And all with good 
reason(s) too; ads have been used to spread malware even on the most "legitimate sites." 
Even today, news and entertainment sites can frequently serve up malicious and 
infected ads. 


So, in other words, Firefox will now display "ads" when you type into the address bar, by
default.


Fortunately this can be disabled right from within the settings, under Privacy & Security >
Address Bar, by unchecking the Firefox Suggest options (the equivalent about:config prefs are
browser.urlbar.suggest.quicksuggest.sponsored and
browser.urlbar.suggest.quicksuggest.nonsponsored).


about:config (Advanced settings) 


These are the more advanced settings within Firefox that you can tweak for privacy.


With more recent versions of Firefox (and Mozilla's apparently aggressive release schedule),
and depending on your operating system, you may find that some of the options here are
already set. That's fine; some of them may still require tweaking given your unique situation,
so you can run through them all anyway. It won't take too long!


For each of these settings, you'll need to type about:config into your address bar. You'll
more than likely receive a warning; click "Accept the Risk and Continue" (or its equivalent) to
continue. Then type the pref name into the search field at the top of the page.


Double-click a boolean setting to toggle it; for integer or string settings, double-click (or use
the pencil icon) to edit the value, then press Enter.
Disabling WebRTC


WebRTC can reveal your real IP address even when you're using a VPN. This isn't a bug that
someone forgot to fix; it's how WebRTC's connectivity checks (ICE) work: a page can create a
peer connection, the browser gathers candidate addresses, including the public address a
STUN server sees, and a script can read them. Recent Firefox versions hide local LAN
addresses behind mDNS names by default, but a VPN that doesn't capture all of Firefox's UDP
traffic can still leave your real public address in those candidates.


Read more about WebRTC leaks.


To disable WebRTC in Firefox:


1. Search for media.peerconnection.enabled
2. Change the value to false


Be aware this breaks anything built on WebRTC, including browser-based video calls and
screen sharing.


Tracking and Fingerprinting


- Set privacy.resistFingerprinting to true; This tells Firefox to be more resistant to
browser fingerprinting. Part of the Tor Uplift effort. Be aware it is a blunt instrument: among
other things it reports your timezone as UTC, rounds the window size, and spoofs some
navigator values, which some sites notice or break on.

- Set privacy.trackingprotection.fingerprinting.enabled to true; Another setting that
tells Firefox to block known fingerprinting scripts. More than likely, this is already enabled if
you're running any of Firefox's content blocking profiles from the regular menu settings.

- Set privacy.trackingprotection.cryptomining.enabled to true; Blocks pesky
cryptominers. More than likely, this is already enabled if you're running any of Firefox's
content blocking profiles from the regular menu settings.

- Set privacy.trackingprotection.enabled to true; Blocks known trackers where add-ons
cannot, or where they've been configured not to block trackers on specific pages.

- Set browser.send_pings to false; Helps prevent websites from tracking visitors' clicks via
the <a ping> attribute. For some users, this may already be set to false.

- Set beacon.enabled to false; Disables navigator.sendBeacon, which is commonly used to
send analytics to web servers as you leave a page.
Cookies and Referrers 


- Set privacy.firstparty.isolate to true; Isolates many different types of identifying data
that may be stored in the browser under the domain of the site you're visiting. This mostly helps
to prevent tracking across varying domains. Part of the Tor Uplift effort. Caveat: first-party
isolation predates Total Cookie Protection (network.cookie.cookieBehavior 5, below), which is
now the default and covers the same ground; on a recent Firefox, leave it off unless you have a
specific reason, since it breaks more sites and the two were not designed to be combined.


COOKIES: While we can control cookie settings from Firefox's regular menu settings, we
have the ability to fine-tune them more in the advanced settings. These specific settings are
controlled with integers, outlined below:


Set network.cookie.cookieBehavior to 4 (or 5, the current default) where...


- 0 = Accepts all cookies
- 1 = Blocks 3rd party cookies
- 2 = Blocks all cookies (will break many websites!)
- 3 = Blocks cookies from unvisited sites
- 4 = "Cookie Jar Policy" which prevents storage access to known trackers. Like 2, this
can potentially break websites.
- 5 = Blocks known trackers and partitions all other third-party storage per top-level site
(Total Cookie Protection). This is what the Strict profile uses and, in recent versions, the
default for everyone.


Set network.cookie.lifetimePolicy to 2 where...


- 0 = Stores all cookies indefinitely (or until you wipe browsing data)
- 1 = Prompts you to set storage duration for each cookie encountered
- 2 = Stores cookies for the length of your current browsing session only
- 3 = Stores cookies for X amount of days


Recent Firefox versions have removed this pref; the "Delete cookies and site data when
Firefox is closed" checkbox in the regular menu settings now does the same job.


REFERRERS: To keep things simple, your browser sends a Referer header to the server of
whatever website you're connecting to. The referrer tells the new server where you were
before connecting to it (the page whose link you clicked, or the page that embedded the
resource). How much of that URL is sent may vary.


Generally, referrers are governed by a default referrer policy (for example, no referrer is sent
if you're moving from a page using HTTPS to one only using HTTP; and since Firefox 87 the
default policy, strict-origin-when-cross-origin, already trims cross-site referrers down to the
origin). A site can ask for more through its own Referrer-Policy, which is why you may want to
put a hard cap on what cross-site information it can get.


These referrer settings in Firefox are also changed with integers, as outlined below:


Set network.http.referer.XOriginPolicy to 1, where...


- 0 = Send referrer in all cases
- 1 = Send referrer only when the base domain (eTLD+1) matches, e.g. from
shop.example.com to www.example.com
- 2 = Send referrer only when the hostname is an exact match (This can break some sites)


Set network.http.referer.XOriginTrimmingPolicy to 2 where...


- 0 = Send cross-origin referrer with full URL (this means your browser can even forward
sensitive information such as session tokens that a careless site put in the URL)
- 1 = Send cross-origin referrer with URL minus query string
- 2 = Send cross-origin referrer with only scheme, host, and port information


Read more about Referrers (external).
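
To see what these two prefs actually do to a request, here is an added example (not part of
the original guide) that models the decision rules described above in JavaScript and runs a
few navigations through them. It approximates "base domain" with the last two DNS labels;
real Firefox consults the Public Suffix List, so names under co.uk and the like differ. The
functions refererFor and baseDomain and the sample URLs are this example's own.

```javascript
// Added example: what Referer Firefox would send for a navigation under
// network.http.referer.XOriginPolicy and XOriginTrimmingPolicy.
// Assumption: base domain = last two DNS labels (Firefox uses the Public
// Suffix List, so e.g. *.co.uk is handled differently in the real browser).
function baseDomain(hostname) {
  const labels = hostname.split(".");
  return labels.length <= 2 ? hostname : labels.slice(-2).join(".");
}

// Returns the Referer value as a string, or null when none is sent.
function refererFor(fromUrl, toUrl, { xOriginPolicy = 0, trimmingPolicy = 0 } = {}) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Universal rule from the text: never leak an HTTPS referrer to plain HTTP.
  if (from.protocol === "https:" && to.protocol === "http:") return null;

  const sameHost = from.hostname === to.hostname;
  const sameBase = baseDomain(from.hostname) === baseDomain(to.hostname);

  // XOriginPolicy: 0 = always send, 1 = only when base domains match,
  // 2 = only when hostnames match.
  if (xOriginPolicy === 1 && !sameBase) return null;
  if (xOriginPolicy === 2 && !sameHost) return null;

  from.hash = ""; // fragments are never part of a Referer

  // XOriginTrimmingPolicy only applies to cross-origin requests:
  // 0 = full URL, 1 = strip the query string, 2 = origin only.
  const crossOrigin = from.origin !== to.origin;
  if (!crossOrigin || trimmingPolicy === 0) return from.href;
  if (trimmingPolicy === 1) {
    from.search = "";
    return from.href;
  }
  return from.origin + "/";
}

// Constructed sample navigations (not real traffic), one per rule:
// HTTPS->HTTP downgrade, same base domain, unrelated site, same origin.
const SAMPLES = [
  ["https://shop.example.com/cart?sid=abc123", "http://cdn.example.net/img.png"],
  ["https://a.example.com/page?q=1#top", "https://b.example.com/"],
  ["https://a.example.com/page?q=1", "https://tracker.net/pixel"],
  ["https://a.example.com/page?q=1", "https://a.example.com/next"],
];

// Runs every sample under one policy; returns the list of Referer values.
function runSamples(opts) {
  return SAMPLES.map(([from, to]) => refererFor(from, to, opts));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const policy of [{}, { xOriginPolicy: 1, trimmingPolicy: 2 }]) {
    console.log(JSON.stringify(policy), runSamples(policy));
  }
}
```

Running it shows the difference directly: with the defaults (0/0) the second and third samples
hand "https://a.example.com/page?q=1" to the other site, while with 1/2 the tracker gets
nothing and the sibling subdomain only sees "https://a.example.com/". The same-origin
navigation keeps its full URL under both, because the trimming pref is cross-origin only.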
Session and Device Data 


- Set dom.event.clipboardevents.enabled to false; Prevents websites from being notified
when you copy, paste, or cut on a webpage. Read more about clipboard security. Note that
web apps with their own copy/paste handling (rich text editors, spreadsheets) may stop
working properly.

- Set media.navigator.enabled to false; Prevents websites from enumerating or
accessing your microphone and camera. This also breaks browser-based video calls.

- Set webgl.disabled to true; Disables WebGL. WebGL exposes GPU and driver details that
are a strong fingerprinting signal, and its large native attack surface has produced security
bugs before. 3D web content and some map sites will stop working.

- Set geo.enabled to false; Disables the geolocation API. Be aware that even when this
is enabled, Firefox will prompt you before a site gets your location. Disable this
if the usage of Google Location Services concerns you. Read more about Firefox's
usage of Google Location Services (external).

- Set media.eme.enabled to false; Disables Encrypted Media Extensions, the mechanism
for DRM-protected HTML5 media. When enabled, Firefox automatically downloads the
Widevine Content Decryption Module, which is built and maintained by Google. Streaming
services that rely on DRM will stop playing.


Firefox can store extra data about a previous session. For example, "normal" storage about
a previous session may include tabs you had open. Extra data can include information like
the contents of web forms, your scrollbar position, etc.


This setting is controlled by integers, as outlined below:


Set browser.sessionstore.privacy_level to 2 where...


- 0 = Store extra session data for all sites
- 1 = Store extra session data for unencrypted (HTTP) sites only
- 2 = Never store extra session data


Containers 


CONTAINERS: Container tabs force the websites you visit to only have access to a specific
"part" of your browser's total local storage. Ultimately, this means that site preferences, login
sessions, advertising/tracking data, and browsing history within a container won't "transfer"
over to another.


Containers can also be enabled by installing the Multi-Account Containers add-on. This is
preferable and recommended, but some users may only wish to enable containers in the
advanced settings without the help of the extension:


- Set privacy.userContext.enabled to true.
- Set privacy.userContext.ui.enabled to true.
- Set privacy.userContext.longPressBehavior to 2.


Prefetching 


- Set browser.urlbar.speculativeConnect.enabled to false; Disables Firefox's
speculative connections to URLs that you may want to visit based on what you're typing
in the address bar; these aren't necessarily URLs you have connected to before. Helps
prevent unwanted connections to sites you may not want to visit.


To disable the entirety of Firefox's prefetching, you'll have to change a couple of
different settings. Prefetching lets sites load faster but may pull unwanted data into
your browser (such as cookies) from sites you never actually open. It's a classic case of
security versus convenience.


- Set network.dns.disablePrefetch to true
- Set network.predictor.enabled to false
- Set network.prefetch-next to false
- Set network.http.speculative-parallel-limit to 0 (stops speculative TCP connections to
links Firefox guesses you're about to click)


JavaScript


Some users may wish to totally disable all JavaScript from being executed on their device.
Disabling JavaScript:


1. Search for javascript.enabled
2. Switch the value to false
3. Reload any open pages (a restart isn't required)


NOTE: Disabling JavaScript will break many sites you visit! Most users who want this are
better served by NoScript (below), which lets you allow it per site.
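
You don't have to set each of these by hand: Firefox reads a file named user.js in the
profile directory (find it via about:support > Profile Folder) at startup and applies every
user_pref() line in it over prefs.js. The following is an added example, not code from this
guide or from Mozilla, that generates such a file from the prefs above and, going the other
way, parses a prefs.js or user.js and reports which of them are missing or set differently.
The pref list mirrors this page (adjust it to your threat model); the prefs.js excerpt it checks
is constructed for the example, and the script only works on strings, so writing the result
into your profile is up to you.

```javascript
// Added example: build a user.js from the about:config prefs discussed
// above, and audit an existing prefs.js / user.js against them.
// Works on strings only; it never touches a real profile directory.

// Recommended values, mirroring the guide. Adjust to your threat model.
const RECOMMENDED = {
  "media.peerconnection.enabled": false,
  "privacy.resistFingerprinting": true,
  "privacy.trackingprotection.enabled": true,
  "browser.send_pings": false,
  "beacon.enabled": false,
  "network.cookie.cookieBehavior": 4,
  "network.http.referer.XOriginPolicy": 1,
  "network.http.referer.XOriginTrimmingPolicy": 2,
  "dom.event.clipboardevents.enabled": false,
  "webgl.disabled": true,
  "geo.enabled": false,
  "browser.sessionstore.privacy_level": 2,
  "network.dns.disablePrefetch": true,
  "network.predictor.enabled": false,
  "network.prefetch-next": false,
};

// Firefox pref-file syntax: one user_pref("name", value); per line, where
// value is a JSON-style string, number or boolean.
function toUserJs(prefs) {
  const lines = Object.entries(prefs).map(
    ([name, value]) => `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`
  );
  return lines.join("\n") + "\n";
}

// Matches user_pref / pref / sticky_pref lines; group 1 = name, group 2 = raw value.
const PREF_LINE =
  /^\s*(?:user_pref|pref|sticky_pref)\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$/;

// Parse a prefs.js / user.js body into { name: value }. Comments, blank
// lines and anything that isn't a pref call are ignored.
function parsePrefs(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    try {
      out[m[1]] = JSON.parse(m[2]);
    } catch (_) {
      // Value not representable as JSON (rare); skip rather than guess.
    }
  }
  return out;
}

// Returns one entry per recommended pref that is absent or set differently.
function audit(prefsText, recommended = RECOMMENDED) {
  const current = parsePrefs(prefsText);
  const findings = [];
  for (const [name, want] of Object.entries(recommended)) {
    const have = Object.prototype.hasOwnProperty.call(current, name) ? current[name] : undefined;
    if (have !== want) findings.push({ name, want, have });
  }
  return findings;
}

// Constructed prefs.js excerpt for the demonstration (not from a real profile).
const SAMPLE_PREFS_JS = `// Mozilla User Preferences
user_pref("browser.send_pings", false);
user_pref("media.peerconnection.enabled", true);
user_pref("network.cookie.cookieBehavior", 5);
user_pref("privacy.resistFingerprinting", true);
user_pref("browser.startup.homepage", "https://example.org/?a=1");
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of audit(SAMPLE_PREFS_JS)) {
    console.log(`${f.name}: want ${f.want}, have ${f.have === undefined ? "(unset)" : f.have}`);
  }
  console.log("\n--- user.js ---\n" + toUserJs(RECOMMENDED));
}
```

Against the constructed excerpt the audit flags thirteen of the fifteen prefs: eleven are simply
unset, media.peerconnection.enabled is true instead of false, and network.cookie.cookieBehavior
is 5 rather than the 4 in the list (the audit is literal; if you've settled on 5, change the list).
The two that already match are not reported. Note that prefs.js is rewritten by Firefox on exit
and only contains values that differ from the built-in defaults, so an "unset" finding there means
the default is in effect, not that the pref is missing.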


Recommended Firefox privacy add-ons


Many of the add-ons in this list provide redundant functionality. Therefore it's likely that you
won't need to install and run all these add-ons at once.


You may want to consider installing one add-on from each category "type" and explore
different combinations.
Tracker blocking


uBlock Origin: a wide-spectrum blocker that blocks ads and trackers while being light on
system resources.

uMatrix (advanced): a point-and-click matrix-based firewall. Enables you to directly control
any elements your browser attempts to connect to, what it can download, and what it can
execute. Has been discontinued.


Additional blocking


LocalCDN: intercepts connections to Content Delivery Networks (CDNs) and serves the
requested libraries locally to help preserve your privacy. Forked from Decentraleyes.

ClearURLs: uses over 250 rules to remove the tracking elements that are frequently found in
URLs. Can also prevent some tracking injections.

NoScript (advanced): blocks all scripts, including JavaScript and other active content, from
executing automatically, or according to specific rules you set. You can whitelist sites you
trust.


Storage Management


Multi-Account Containers: enhances Firefox's (ver 84) vanilla container handling of cookies
(if enabled via the about:config settings above). Containers can be created for different
websites and are isolated from each other. An official add-on from Mozilla.

Temporary Containers: a container add-on that focuses on isolating temporary storage (such
as cookies and other site data) from the rest of your browser. This add-on is automatic, and
will create temporary and separate containers for links you or a program might open. The
containers are deleted automatically when you close your browsing session.

Facebook Container: a container add-on focused specifically on containing Facebook-related
cookies and persistent storage. Helps limit what data Facebook automatically gathers about
you and Facebook's tracking. An official Mozilla add-on.


Functionality


Terms of Service; Didn't Read (TOSDR): an online user rights initiative that aims to break
down long Terms of Service agreements while assigning ratings to each reviewed policy.


Additional resources 


Final thoughts 


Firefox has always been a reliable, open source, and more privacy-friendly browser
throughout the years.


It becomes far more private when properly configured at the "normal" and "advanced" levels
and with the help of trusted 3rd party privacy add-ons.


Please be aware that while you may have a "hardened" Firefox, or a Firefox tweaked for 
privacy, you are not immune to all 


Always be aware that your browser is the weakest link of the privacy (and frequently, the 
security) chain, even when configured for privacy. You are not immune from all forms of 
tracking, nor all forms of fingerprinting. 


Remember what was said earlier: more is not always better when it comes to preserving 
privacy. You'll want to try to balance your approach, and tailor it to your needs and threat 
model. 


Just know that you can ultimately help preserve your privacy in the long run by making these 
tweaks in the first place. 


Download Firefox 
Input is always welcome for this guide. 